[Buildroot] [RFC v9 01/10] cpe-info: new make target

Thomas Petazzoni thomas.petazzoni at bootlin.com
Wed Jul 1 11:57:47 UTC 2020


On Wed, 01 Jul 2020 09:43:10 +0200
Gregory CLEMENT <gregory.clement at bootlin.com> wrote:

> > It's not great because it means adding gazillions of CPE_ID information
> > in packages. But is there any other option ?  
> I am working on a adding a tool allowing to check the cve status of a
> given configuration. I am about to submit it. For now I base my check on
> the buildroot package name as it is done in pkg-stat, but as you know
> there are some mismatch. At a point there will be the need to use the
> CPE information, so I have already had to think on how to manage it.
> I already have to deal with failure when checking if a version was
> affected by a CVE. And for this situation I choose to report that
> failure instead of considering the package being affected or not by
> default. The idea is to, later, be able to fix the failure but in the
> meantime being aware of it.
> For package name I would use a similar approach: if there is no CPE_ID
> provided then try to use the package name but in this case report that
> it has to be checked manually, while if there is a CPE_ID then use it as
> a reliable name. So I am clearly in favor on the second option proposed
> by Thomas. The ultimate goal is to have a CPE_ID information in each
> package but in the meantime there is a path to achieve this.

This all looks sensible to me, so please go ahead and submit the
initial work you have, even without CPE ID support for now.


Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering

More information about the buildroot mailing list